Oracle v. Google: Now the Fair Use Argument for Java APIs

Now that the Supreme Court has decided not to review Oracle America Inc. v. Google Inc., the long-running lawsuit returns to the Federal Circuit Court in San Francisco, where Google will have a chance to argue that its use of 37 Java APIs -- now considered copyrightable because of the Supreme Court's pass -- in its Android operating system falls under the doctrine of fair use.

Oracle has won a significant argument here, but not the lawsuit. You could say that Google has a Plan B. But what exactly is "fair use," and how do you prove it in court?

The U.S. Copyright Office defines fair use as "a legal doctrine that promotes freedom of expression by permitting the unlicensed use of copyright-protected works in certain circumstances." Federal courts decide fair use issues using four criteria:

  • the purpose and character of the use (is it commercial, nonprofit, educational, etc.)
  • the nature of the copyrighted work (is it a novel, movie, song, technical article, news item)
  • the amount and "substantiality" of the portion used (how much of it was used and was that the "heart" of the work)
  • the effect of the use upon the potential market value of the work

There's also the question of whether the use was "transformative." Transformative uses, the Copyright Office says, "are those that add something new, with a further purpose or different character, and do not substitute for the original use of the work."

"Fair use is a fact-specific inquiry," explained attorney Case Collard via e-mail. "It depends on what the item is that is copyrighted and how the entity claiming fair use is using it."

I reached out to Collard, a partner at Dorsey & Whitney, who specializes in intellectual property disputes and developing strategies for safeguarding intellectual property rights, to get his take on the latest development in the Big O versus Big G saga. He said the Federal Circuit's decision, which will now stand, laid out something of a road map for how Google might apply a fair use argument.

"In my opinion, the biggest problem for Google is the commercial nature of its use [of the APIs]," he said. "That is generally a strike against finding fair use. Its best argument is probably interoperability -- in other words, it should be fair use because Google must use the APIs in order to make its products interoperable."

Both the Federal Circuit and the White House recognized that Google was entitled to a fair-use defense. At the high court's request, the U.S. Solicitor General actually weighed in with an amicus curiae brief.

"Petitioner argues that its copying of respondent's code promoted innovation by enabling programmers to switch more easily to another platform," he wrote. "But it is the function of the fair-use doctrine... to identify circumstances in which the unauthorized use of copyrighted material will promote rather than disserve the purposes of the copyright laws." And he concluded: "Although petitioner has raised important concerns about the effects that enforcing respondent's copyright could have on software development, those concerns are better addressed through petitioner's fair-use defense…"

But the legal eagles at the Electronic Frontier Foundation (EFF), a California-based international nonprofit that advocates for digital rights, argue that fair use should not be the only defense against API copyright claims.

"Fair use is a complex and potentially expensive defense to develop and litigate," EFF legal director Corynne McSherry and special counsel Michael Barclay wrote in a blog post. "While Google has the financial resources to take that defense to trial, few start-ups have the ability to do so. The Federal Circuit's decision thus could deter new companies from competing with a large, litigious competitor by using the latter's APIs..."

The EFF is one of the staunchest opponents of API copyright. In an amicus brief filed in support of Google last year on behalf of 77 computer scientists, the organization articulated some widely held fears about the consequences of the appeals court's decision that the APIs are protected under U.S. copyright law. "The Federal Circuit's decision poses a significant threat to the technology sector and to the public," the brief stated. "If it is allowed to stand, Oracle and others will have an unprecedented and dangerous power over the future of innovation. API creators would have veto rights over any developer who wants to create a compatible program -- regardless of whether she copies any literal code from the original API implementation. That, in turn, would upset the settled business practices that have enabled the American computer industry to flourish, and choke off many of the system's benefits to consumers."

IDC analyst Al Hilwa is less apprehensive about the potential impact of API copyright.

"The impact will be felt in various ways," Hilwa told me. "APIs are likely to be more explicitly associated with terms of use, for example, and potentially with more lawsuits relating to interoperability. But it also means that developers wanting to bring alternative implementations of a system may choose to be less imitative of the behavior of the system, and more innovative by creating entirely different competing systems. I think we just have to wait and see how it plays out."

"In the end, it may not matter to developers much whether APIs are copyrightable, if (big if) they can be used under the fair use doctrine," Collard said. "In other words, after this is all said and done, if the fair use doctrine allows developers to use APIs without fear of a lawsuit, then it would have a very similar practical effect."

"Fair use" is codified in the U.S. in section 107 of the Copyright Act of 1976.

Posted by John K. Waters on 07/08/2015 at 9:43 AM

VMware: Making the Developer a First-Class Datacenter User

Among the more interesting vendor announcements at last week's DockerCon was VMware's preview of two new products: AppCatalyst and Project Bonneville. Both are emblematic of VMware's relatively newly amped up effort to, as Kit Colbert, vice president and CTO of VMware's Cloud-Native Applications group, put it, "make the developer a first-class user of the datacenter through our cloud-native applications."

Colbert gave me a preview of the previews before the show, and explained why the server virtualization giant is pulling out all the stops to create developer-friendly tools.

"We all know that all companies are becoming more like software companies, in the sense that software is the means by which they engage with users," he said. "IT is now less about minimizing costs and more about driving innovation and differentiation. Consequently, there has been this renewed focus on developers within enterprises and how to empower them, which will drive that business agility and velocity companies are looking for."

VMware responded to that trend with the launch of its Cloud-Native Applications group back in April, along with Project Photon, a lightweight Linux distro optimized for cloud-native apps, and Project Lightwave, an open source identity and access management solution for containers.

The group showcased its two latest projects at the Docker event in San Francisco. AppCatalyst is a desktop hypervisor aimed specifically at developers. Driven by a REST API and a Command Line Interface (CLI), it's designed for Linux container development (Docker is fundamentally a Linux technology) by devs working on Macs. It supports Docker Machine, integrates with HashiCorp Vagrant, and ships with Photon.

"We wanted to provide developers with an easy-to-use engine to run their applications, but also to optimize it so they can speed up the local build/test/run/debug cycle," Colbert said. "It's like a datacenter on their laptops."

Project Bonneville is a nascent native container solution for VMware's hypervisor. It's a Docker runtime that will allow users to create containers directly on VMware's ESXi bare-metal hypervisor via the Docker API. The project aims to enable the seamless integration of Docker containers into the vSphere server virtualization platform -- to, as the company says, "bring the VMware ecosystem to Docker containers."

"Developers are flocking to Docker," Colbert said. "It has a lot of momentum. The question for us is, how do we get the ease, speed, and flexibility of the Docker API mapped onto vSphere and give those containers the same level of management and monitoring that the VM infrastructure has today."

Ben Corrie, principal investigator on Project Bonneville, offers a great explanation of the project's approach in a company blog post: "... The pure approach Bonneville takes is that the container is a VM, and the VM is a container. There is no distinction, no encapsulation, and no in-guest virtualization. All of the necessary container infrastructure is outside of the VM in the container host. The container is an x86 hardware virtualized VM -- nothing more, nothing less."

"What this means to a developer," Colbert said, "is that ESX will look like a Docker host, indistinguishable from any other Docker host."

Bonneville comes with Instant Clone, a new feature in vSphere 6 that clones a running VM, so a new VM can be booted up and running in less than a second, Colbert said.

Although the focus in the next-gen-app world is around Linux, Bonneville is being designed to run Docker containers on any OS. During a recent internal hackathon, Colbert said, some creative VMwarians used a vanilla Docker client to pull an image of the old school Lemmings game and run it on MS DOS 6.22.

"They were just having fun with it, but I think it's a great proof point of the generalization of the technology," Colbert said.

AppCatalyst was released as a technology preview at DockerCon, and it's available for download here. VMware expects to make it generally available later this year. The company is currently distributing Project Bonneville internally and expects to begin private beta testing in the third quarter of this year.

Posted by John K. Waters on 07/06/2015 at 7:16 AM

GitHub Announces Atom 1.0

It took 18 months, 155 releases, and the efforts of hundreds of contributors to get here, but version 1.0 of GitHub's Atom text editor is now available. First released to open source in May 2014, Atom is a customizable, cross-platform text editor built with HTML, JavaScript, CSS and Node.js integration. It runs on the Electron framework, and it works on OS X, Windows or Linux.

It's an understatement to say that this "hackable text editor for the 21st century" has proved to be popular. Since it was released last year, Atom has been downloaded 1.3 million times, GitHub says, and it now has 350,000 monthly active users. That sizeable community has to date created 660 themes for the editor and 2,090 packages. And some big names have added Atom to their enterprise tool belts, including Facebook, which based its new, open source Nuclide IDE on Atom.

What makes Atom such a great innovation for developers? Let's start with the "hackable" part.

"Your dream editor and my dream editor are not the same thing," GitHub senior engineer Ben Ogle, a core engineer on the Atom project, told me. "I like a dark theme; you like a light theme. I write front-end code for websites; you write system code. We should not have to use the same editor. What we want at GitHub, and what Atom gives you, is total control over the editor so you can make it your dream editor."

In other words, developers can tweak Atom's look and add features that suit their individual needs.

"We want you to feel empowered to dig in," Ogle said. "That's why we built Atom on familiar technologies. You won't need to learn something new like you would if you were to, say, extend Emacs. With Atom, you can use the knowledge you already have."

And the "21st century" part?

I think that was best explained to me last year by Nathan Sobo, a founding member of the Atom team.

"Now that we're in this polyglot world, you'll notice that whenever a new programming language starts to emerge, the first tools available for it are always Emacs and Vim," Sobo said. "It always starts with this very general purpose editor that someone has extended to make themselves more productive in this environment. So we developed Atom to provide a tool that accelerates that process. A new language comes along and very quickly people can build fantastic tooling around it without having to wait for some business to get started that needs a guaranteed capital flow to build a customized product around that language."

Atom is the brainchild of GitHub founder Chris Wanstrath, who, the story goes, began experimenting with a desktop editor based on Web technologies back in 2008. He called it "Atomicity," and worked on it as a side project, until it was shelved in 2009 while he focused on the launch of Wanstrath later revived the project, which evolved into Atom.

GitHub looks at Atom 1.0 as a foundational release that will support a burgeoning community, Ogle said. "We focused on the core editing experience and modularity [in Atom 1.0]," he said. "Now we have this giant community around us, with tons of core contributors. Lots of them have push access, but don't work at GitHub. It's getting to the point where we're really just shepherding the community," he said.

How does Atom fit into GitHub's overall social coding mission?

"It's called social coding, but what that means is that our mission is to help people work better together," Ogle said.

"Atom is part of that mission, long term," Ogle said. "We're defining the base with this release, but down the road we will be asking, what does it mean to have social coding in your editor? Editors are, historically, very individual things with no social component. What we're thinking about is how we might bring the social ideas from GitHub into your editor."

And in case you're thinking that the release of a new text editor, no matter how "hackable" and "21st century" it might be, is small potatoes, consider this insight from my interview with Sobo: "There is no more personal relationship that a programmer has to anything in his or her career than to their text editor," he said. "It's literally in the muscles of your hands! Even as you're crossing programming languages, the text editor is the one thing that can go with a developer for their entire career."

Ogle put together lots of details about the Atom 1.0 release, including lots of links and a more complete history, in a great post on the GitHub blog.

Posted by John K. Waters on 06/26/2015 at 1:24 PM

Onno Kluyt on Java at 20

I knocked on quite a few doors last month, looking for Java mavens to talk with about the language on its 20th birthday. Lots of people got back to me (I think they got tired of the banging), and I heard some great stories. But I was surprised that, to my first question -- "What has been the most significant change in the Java language and/or platform in the past 20 years?" -- no one answered, "Open sourcing Java." It's probably the way I phrased the question, but I remember Java jocks clamoring back in the day for Sun to release their beloved language under an open source license.

Onno Kluyt, who chaired the Java Community Process (JCP) from 2002 until he stepped down in July 2006, helped build the OpenJDK community and, as he puts it, "held the JCP together while we were doing the open sourcing and building that other community." I asked him the question I should have asked: "How important was the open sourcing of Java?"

"Looking back on it, it was too little too late," Kluyt told me via e-mail. "Linux was already very well established, and Android had happened. If Sun had open sourced Java two or three years earlier, some of the history might have played out differently. But the Microsoft lawsuits made that timing impossible."

You might remember that Sun sued Microsoft for $35 million in 1997, claiming that Microsoft breached its contract by trying to extend Java so it would work differently, and, MSFT argued, perform better, on Windows computers. They didn't settle until 2003. Three years later, Sun released quite a bit of Java under the GNU General Public License (GPL), and a year after that, finished the job.

You might also remember that Kluyt took some heat in 2003 for asking the community, "What do you think [the open sourcing of Java] does that people can't do today?"

"There were a lot of misconceptions about what Sun's license for Java before the open sourcing (SCSL) allowed or didn't allow you to do," Kluyt explained. "It was a lot more open and lenient than most developers were aware of. And so I asked that question a few times during developer events to get a discussion going about what developers felt they needed to do with the code base, what they wanted to do, and of those things what they believed they couldn't do now. To some extent Sun's open sourcing of Java was a symbolic act. It didn't really mean a change of heart about code contributions from the outside [or] a loosening of its grip on the core APIs. Put the code base under a well-known free and open source license and move on."

So, what was the most significant change?

"Over this time span that is a little difficult to answer," Kluyt said. "I would probably pick the HotSpot VM technology and the concurrency APIs, which together gave Java near-native performance and enabled large-scale, real-world deployments. But there are so many others: generics, closures, the added byte code making it much easier for other programming languages (Scala for example) to run on top of the JVM, servlets, JSPs."

What is it about the JCP that has allowed it to continue supporting Java in all its forms?

"Internally we often paraphrased Churchill: it's the worst kind of governance except for all the alternatives," he said. "Java has one inventor and one owner: first Sun and now Oracle. But it has interest from companies large and small beyond that one actor. And there were and are many great opinions and expertise outside Sun/Oracle on how to evolve it. In the JCP, Sun found a tolerable way to allow that outside influence, while keeping its seat at the head of the table. Sun could not, and now Oracle cannot, push through Java changes without some decent support from its competitors, and conversely, those competitors cannot push through significant change without some buy-in from Oracle. So both sides need each other. It came close to blowing up about two or three times but in the end: see Churchill's quote."

What is it about Java, the language, that has allowed it to evolve and thrive all these years?

"One half is the language; the other half is the platform, the virtual machine," he said. "Java was the first well-adopted language that had security and networking built in, that had a memory management model that shielded developers. Its syntax was easy to learn for C/C++ developers, its OOP concepts were easier to grasp than Smalltalk, and it made supporting multiple platforms significantly better than anything else around. Sun was also lucky with the adoption of Java in that its timing was great; the World Wide Web was just emerging and Java's characteristics happened to lend themselves very well for that."

How important was the development of the Java platform?

"Maybe I'll answer it this way," he said. "No Java, no Android."

Posted by John K. Waters on 06/09/2015 at 11:48 AM

Java at 20, Part 3: Q&A with JCP's Patrick Curran

Java turned 20 last week and I've been talking with Java mavens and industry watchers about the history and current state of the language and platform at the end of its second decade. I was especially glad to hear back from Patrick Curran, who has served as the chairman of the Java Community Process (JCP) since 2007. He worked at Sun for 15 years before that, where, among other things, he led the Java Conformance Engineering team in Sun's Client Software Group. That group was responsible for developing Technology Compatibility Kits (TCKs) for Java SE and Java ME. (There was a separate team for Java EE.)

When he was at Sun, Curran reported to Onno Kluyt, who was the previous chair of the JCP. "Onno wanted to move on to other things," Curran told me, "and he passed the job on to me."

The JCP, of course, is the standards-development organization for Java. That group has gone through some significant changes of its own since Oracle acquired Sun in 2010, including a multi-year effort to reform its governance and processes with such initiatives as, and the merging of two JCP Executive Committees. The organization is now wrestling with the challenge of revising the Java Specification Participation Agreement (JSPA), which Curran has called "big and scary."

I talked with Curran via e-mail.

Waters: What has been the most significant change in the Java language and/or platform in the past 20 years?

Curran: I'd nominate the introduction of Generics in Java SE 5 as the most significant language change, since this enabled the creation of a type-safe collections framework. As for the platform, the use of annotations in Java EE 5 greatly simplified the programming model by eliminating the need for XML descriptor files. Looking forward, I believe that the introduction of modularity in Java SE 9 will also prove to be extremely significant, quite possibly in ways that we cannot currently predict.

Waters: The JCP is a little younger than Java itself, but it has seen some significant changes of its own since it was established -- in the past few years especially. You have told me that its core mission has remained intact, and that those changes were made to better fulfill that mission. But Java has come such a long way from its webby, applet-making origins to become an essential enterprise technology. I guess I'm wondering what it is about the JCP that has allowed it to continue supporting Java in all its forms.

Curran: The strength of the JCP is the fundamentally simple model of a group of interested experts defining specifications through a formal process that includes public review and oversight by an Executive Committee (EC). The process has always been flexible enough not to define exactly how the Expert Groups should do their work. This has permitted a natural evolution (with a little help and direction from the EC in the form of revisions to the Process) from the early days of relatively private deliberations by representatives of large corporations to the current, much more open and collaborative model. It's a Community Process, and that's its strength.

Waters: What is it about Java, the language, that has allowed it to evolve and thrive all these years?

Curran: Its simplicity, ubiquity -- thanks to the wide availability of virtual machines -- and its compatibility (Write Once Run Anywhere).

Waters: How important was the development of the Java platform?

Curran: It's difficult to over-estimate the importance of the Java platform. Basing it on the Java Virtual Machine, which could be (relatively) easily ported to different hardware and OS environments, made it possible for the first time to develop applications that, in turn, would run in all of those environments. Before Java, it was difficult if not impossible to port programs between environments. Now it's no longer necessary, and we can run identical programs on everything, from the smallest embedded processor to the largest supercomputer or cluster.

Waters: I know this is tricky, but who, besides James Gosling, makes your list of the most important figures in the evolution of Java?

Curran: Rather than call out a small number of people I'd prefer to recognize the very large number, many of them anonymous or certainly not well-known, who have helped to make Java what it is today through their participation in the JCP and in open-source development projects. Java has been successful precisely because of the collaborative way in which it has been developed. James Gosling started it, but it's the community that has developed it and made it successful.

Posted by John K. Waters on 05/29/2015 at 4:25 AM

Java at 20 Years, Part 2: Still Top Dog After all these Years

It has been 20 years since the first version of Java was released to the public, and according to the TIOBE Programming Community Index for May, it's still the most popular kid in school. As I mentioned in an earlier post, Oracle is marking the anniversary with a Web site with lots of links to articles and video clips. Definitely worth a visit.

I've been talking to Java mavens about why, despite licensing controversies, seemingly endless security challenges and the rise of languages like Node.js, Python, Google Go and JavaScript (which apparently also turned 20 this month), Java continues to win so many hearts and minds.

RedMonk analyst Stephen O'Grady said the design of the language offered key development advantages over closer-to-the-metal languages like C or C++, which ensured Java's initial relevance. But the key to Java's longevity has been the widespread industry support it has enjoyed. "By serving as common ground between large industry competitors and a sea of enterprise applications," he said, "Java reached the critical mass that granted it a role of importance and kept it evolving along the way."

O'Grady also agrees with Kim Polese, whom I interviewed in Part 1, that the adoption of Java syntax for the Android platform was a key step in ensuring the language's relevance for an entirely new class of developer.

"The development of Java, which began its life as a set-top box OS, has been tremendously important for the technology industry," he added. "It has been an enterprise standard for decades, is the common denominator among many Big Data platforms and is unofficially the language used to write huge numbers of mobile applications. That's a solid track record." (If you're not reading O'Grady's tecosystems blog, you should be.)

IDC analyst Al Hilwa pointed to Java's ability to address both server and cloud back-ends and desktop, mobile and embedded devices as critical to the language's longevity. He also cited the maturity and scale of the language after continuous improvement, and a good system of governance.

"Java offered one of the first machine abstracted technologies that minimize the sacrifice to performance," Hilwa added. "This abstraction allowed the technology to be portable and also much easier to develop high quality code compared to technologies like C/C++, which are much closer to the machine. That an ecosystem developed quickly around Java in the mid to late 1990's by a number of large vendors, most notably IBM and Oracle, essentially closed the deal and elevated it above any alternatives."

Eclipse Foundation executive director Mike Milinkovich looked back to the support of inner classes in Java 1.1 as a milestone in the evolution of Java, followed by lambdas in Java 8, and the inclusion of the invokeDynamic bytecode in Java 7. But the most significant change for Java, he hastened to add, is probably the most anticipated since lambdas: modularity, which is coming in Java 9. Those other developments "pale in comparison," Milinkovich said. "That is, in my mind, the biggest change to both the language and the platform since its inception."

I also asked about the importance of the development of the Java Platform, and Milinkovich made a fascinating comparison.

"A lot of people hate it when I say this, but Java is this generation's COBOL," he said. "I mean that in an entirely positive way. Java is the programming language that runs an entire generation of enterprise and industrial infrastructure. And just like COBOL, that means that it will be around for many decades to come. But what is even more fun is that innovation and invention continues both in the Java platform and language, and on top of Java in the ecosystem. The combination of being firmly entrenched as the de facto infrastructure language, but with continuing innovation, makes Java the language and platform that matters now and for many years to come."

I touched base with the ever insightful Wayne Citrin, CTO of JNBridge, who argued that the most significant change in Java was the shift in emphasis to the server-side after Sun realized that the original client-side emphasis (set-top boxes, applets in browsers, rich-UI applications) wasn't getting enough traction. "While client-side Java is still worked on," he said, "and new features are being introduced, most attention—and the effort of developers—has long been on the server side."

But he also pointed to managed code and runtimes. "Managed code and runtimes have been one of the most important developments of the last 25 years," Citrin said, "and Java was the first really popular language with a true managed runtime. It showed that managed runtimes were practical for real-life applications. I know there's a move in some quarters back to native runtimes, but I think this is an accommodation to some specialized areas, such as gaming and underpowered mobile devices, but this is a temporary situation, and I suspect those areas will eventually start using managed runtimes, again, too, since they're so much easier to develop for."

I also checked in with jClarity CEO Martijn Verburg, who sees the Java Virtual Machine (JVM) as the secret behind the enduring power of Java. "Even when it waned in popularity for a couple of years, the JVM is so compelling that developers have stuck with it, and now, of course, the language is finding its mojo again," he said.

I asked Verburg what he saw as the most significant change in the language/platform in the past 20 years, and he pointed to Generics, which he said had both a good and not-so-good impact. "It guided developers towards increased type safety for objects as well as primitives," he said, "which vastly improved the safety of much code that came out of enterprise Java shops. However, due to the mismatch with the primitive type system, there have always been significant cracks in the Generics implementation, which will still take one to two more iterations of Java to fix."

Verburg also sent me his "media quote," which I think is worth sharing, because it summarizes the state of Java well: "Java directly or indirectly touches just about every human on this planet. It is the glue that allows mobile health and banking in remote areas of the world, entertains millions with games such as Minecraft, and drives the economic engine of our global markets."

In case I haven't said it already, Happy Birthday Java.

Posted by John K. Waters on 05/26/2015 at 4:27 AM

Java at 20 Years, Part 1: What’s In a Name?

Unless you've been coding in a cave you know that Oracle is marking the 20th anniversary of the release of the first version of Java for public use, which happened on May 23, 1995. Big O has set up a nice Web site with lots of links to articles and video clips commemorating "20 years of Java innovation." If you haven't checked it out, you should.

I've talked with a bunch of people this week about Java's big birthday, including the person credited with naming it. Twenty years ago, Kim Polese served as the original product manager for Java at Sun Microsystems. She left the company in early 1996 to found Marimba, one of the first Internet-based software management companies, with former Sun engineers Arthur van Hoff, Jonathan Payne, and Sami Shaio. She later served as CEO of SpikeSource, an automated software testing company acquired by Black Duck in 2010. She is currently the chairwoman of ClearStreet Inc., a social finance startup focused on "helping people eliminate debt and achieve long-term financial health," and CrowdSmart, which enables university alumni and students to "collaboratively engage, support and profit from alma mater startups."

When it was 'Oak'
Polese spent about seven years at Sun, during which time she worked on the overall development and promotion of the Java brand, including its business strategy, licensing model, marketing communications, and developer evangelism. She first saw Java (then called "Oak") at an internal Sun conference.

"I got a sneak peek of Oak on a device called the Star 7, which had been created to demonstrate the vision behind the language," she told me. "At the time I was the product manager for C++ and object oriented technologies at Sun. Once I saw Java and I realized its power, I came on board as the product manager."

When it was originally conceived, Java was called "Green" or "Project Green," depending on whose memory you trust, and Sun actually spun out a separate, wholly owned organization to tackle it. That organization was called FirstPerson, Polese recalled.

"We were housed in a different location from the mothership, in downtown Palo Alto, at 100 Hamilton Ave., which is where Palantir is now," Polese said. "Very few people at Sun knew we existed."

In her new role, Polese's responsibility was a daunting one: to make Java ubiquitous. "I remember feeling the enormous responsibility of my job, because I knew well the potential of this technology," she said. "On the team, our goal was simple: ubiquity or go home."

Former Sun CEO Scott McNealy had begun proclaiming that "the network is the computer" back in the late 1980s, but even by the time Java debuted, the network -- the Internet -- was still limited and primitive.

Way Ahead of its Time
"Java was a language that was designed for a future networked world that didn't exist back in the beginning of the 90s," Polese said. "The World Wide Web and Mosaic were infant technologies back then. Quite simply, Java was way ahead of its time."

And yet, it would be Java's role as a tool for building Web technology that initially defined the language. In those early days, Java was all about applets, Polese said.

"Up until we released Java in May 1995, Web pages could only contain static text," she said. "You could only hyperlink to other Web pages containing static text. Java brought interactivity to the Internet. For the first time you could actually run little applications -- 'applets' -- in Web pages."

Before Java was released to the world, Sun worked with individual developers at companies, universities and research institutions, encouraging them to write the first applets to provide more than a tumbling Duke animation, Polese recalled. The idea was to demonstrate Java's power.

"These were some very exciting examples that, when people saw them for the first time, made clear the power and potential of Java," she said. "For example, one developer from Lawrence Livermore Labs created an app that displayed the image of a human body; when you moved the cursor over the body you would see MRI slices generated in real time. This app pointed to the potential for doctors to collaborate to diagnose diseases remotely. Another applet from a developer at a Wall Street firm was a spreadsheet calculating the value of an individual's net worth based on their stock portfolio, again, in real time. This pointed to the potential for applications in financial services. These were just a couple of the early examples, but they were critical in demonstrating to the world the power and potential of Java when it was released."

Ultimately, Java's first decade would be about enterprise applications and enabling the first generation of the commercial Internet, Polese said. Not surprisingly, her first company, Marimba, pioneered enterprise application deployment and management based on Java.

"For the first time, companies could develop and deliver platform-independent enterprise applications and remotely manage them to any desktop or device inside or outside the firewall, securely and reliably," she said. "This was a huge breakthrough for enabling the ubiquitous adoption of the Internet as a platform for doing business."

Nearing Ubiquity
Now at the end of its second decade, Java isn't exactly ubiquitous, but it's a lot closer -- thanks in no small part to the advent of the Android OS, Polese said. "Java was designed for a future world in which a ubiquitous network would connect us all to each other and to unlimited numbers of devices and embedded systems," she said, "a network that would also connect those devices to each other (a.k.a. the Internet of Things.) With Android, Java is now in billions of devices, and this vision is being fully realized."

So, how did Java get its name? "Oak" (from a tree outside Gosling's office) was popular internally, but Polese felt that the fledgling language needed a moniker that conveyed the idea of waking up the Web. Two brainstorming sessions produced several possibilities, including "Ruby," which would have stood for Runtime Bytecodes, and "WRL" for Web Runner Language. (Web Runner was the name of the browser before it was called HotJava.) "Java" emerged from a riff on the word "caffeine," Polese said.

"We were bringing interactivity to the Web pages," she said, "essentially waking them up with the introduction of applets, so I thought Java would be the best name. But that was not a unanimously held view on the team. In fact, when I held a vote, there was no clear winner. In the end, as product manager, it was my responsibility to choose the name, so I went with Java. I then asked Eric Schmidt, who was running the team at the time, for his thumbs up, which he gave. We had Mark Andersen Design create the logo, and Java turned out to be one of the iconic and enduring brands of the Internet and the connected experience."

More of my conversations with Java mavens about the language and platform at 20 in Part 2.

Posted by John K. Waters on 05/22/2015 at 4:32 AM

Oracle's 2.5-Year Effort to Re-engineer APEX Bears Fruit

It's probably the most popular development tool you've only kinda-sorta heard of. Oracle's Application Express (APEX) rapid Web app development tool has been around for more than a decade in one form or another, and it enjoys enormous popularity within the Oracle community. The latest incarnation, APEX 5, was released last month. The company spent two years and seven months re-engineering the tool, and according to its creator, Michael Hichwa, vice president of Oracle's Software Development group, it was time well spent.

"This release took us a lot longer than usual," Hichwa told me. "In fact, it was the longest period between updates in the history of APEX, and it included three beta programs. We had a bigger objective this time, and we wanted to get it right."

Hichwa has been leading the APEX team since he developed the tool in 1999. Back then, it was really just him, but today there's a team of about 18 developers working on the tool, he said, and a community of about 300,000.

That number may not seem that high when compared with the communities of Java or PHP developers, but they are a devoted bunch. "From the beginning, we've been community-based," Hichwa said. "We get our momentum and excitement primarily from the community, not from Oracle. In fact, our best conferences are run by our user communities."

Formerly called HTML DB, APEX comes with all Oracle databases, starting with Oracle 11g, and is installed by default as part of the core database install at no additional cost. It's a browser-based environment "that combines the qualities of a personal database, productivity, ease of use, and flexibility with the qualities of an enterprise database, security, integrity, scalability, availability and built for the Web," the company says on its Web site.

The tool is popular in IT departments among those running ERP and CRM applications; they use it to extend and fill gaps. But in recent years, APEX has gained traction for line-of-business development -- sales, finance, procurement and so on. "They all have their particular needs for automation within their business groups," Hichwa explained. "Because APEX has a lower bar, technically, business-area experts who are not full-time professional developers, but who are technical, can use it. These are people who can get their heads around a SQL statement and understand the data model. APEX allows them to create a high-quality Web application quickly, without having to dive deeply into the computer science realm."

Hichwa, who, even after more than 10 years on this project, was fairly bursting with a genuinely infectious enthusiasm for this release, said that more books have been written about APEX than any other Oracle technology (20 books, by my count). Expect to see a lot more later this year covering APEX 5. "We'll be writing a few of them ourselves," he said.

APEX 5 is brimming with enhancements, including Universal Theme, an all-new UI for APEX apps. It's simpler than previous themes and more easily customizable, and it addresses the growing need to build modern, responsive, sophisticated apps without requiring expert knowledge of HTML, CSS or JavaScript, Hichwa said. The new UI also includes a new color palette; icons for easy, visual identification; intuitive workflow-based menus; and improved keyboard and accessibility support.

This release also comes with Page Designer, a new IDE designed to enhance developer productivity for prototyping, design, development and maintenance of APEX apps. The IDE provides a drag-and-drop interface for rapid development of app pages. And an enhanced code editor provides SQL and PL/SQL validation with inline errors, auto completion, syntax highlighting, search and replace with regex support, and undo and redo support.

The list of enhancements also includes a new mobile reporting capability; support for modal and non-modal dialogs; a new calendar; and a collection of Packaged Applications -- 19 APEX apps that can be used out-of-the-box and are supported by Oracle.

A complete list of APEX 5 enhancements and details can be found here.

Posted by John K. Waters on 05/11/2015 at 10:41 AM

Java Security: It's a Multilayer Problem

Things have quieted down quite a bit on the Java security front during the last year or so. Rare these days are the heart-stopping revelations of zero-day vulnerabilities; and fewer are the grumbling editorials about the lack of end-user update hygiene. (Although, as far as I'm concerned, that issue is still quite grumble-worthy.) Oracle's click-to-play feature was at least partly responsible for a 2014 in which there were no major zero-day Java vulnerabilities discovered and exploited in the wild.

Which is great, but not the end of the Java security story. As long as Java's enormous popularity in the enterprise continues, it's going to be an alluring target, Java security expert John Matthew Holt reminded me recently.

Holt is the CTO of Waratek, a company specializing in Java security, so you could argue that he has a vested interest in Java insecurity. But he's right to point out that the Java stack has more than one layer. Even if you manage to keep up with Oracle's patch schedule for the Java platform layer, you still have to deal with the app server layer, the libraries and the business logic. And update schedules vary. For example: Oracle releases Java security fixes on the Tuesday closest to the 17th day of January, April, July and October; Apache releases Struts patches every 72 days.

"I give great credit to Oracle for addressing the vulnerabilities in the Java Platform layer," Holt said. "That's kind of a never-ending battle. Even if an organization manages to keep up with the Java security fixes, the vulnerabilities shift to somewhere else in the software stack."

For example: By my count, there have been 10 Struts vulnerabilities reported over the past two years with a CVSS rating of 9 or 10, which is very high and marks them as critical.

Holt is an enthusiastic proponent of Runtime Application Self Protection, or RASP, which Gartner has defined as "a security technology built in or linked to an application or app runtime environment, and capable of controlling app execution and detecting and preventing real-time attacks." Holt's company makes a containerized RASP product, called Locker, which provides security monitoring, policy enforcement, and attack blocking from within the Java Virtual Machine (JVM).

"RASP is something very different," he said. "We've never had a tool that lives inside the runtime and has the benefit of real, accurate, actionable intelligence about what the application is doing."

Holt's Dublin-based company also recently unveiled a new security technology I wanted to mention, called the Taint Detection Engine, which is designed to detect and block SQL Injection attacks without generating false positives or relying on heuristics. The Taint Engine (Pipe down, you snickering fifth graders!) is part of the company's AppSecurity for Java product.

As I'm sure you know, a SQL Injection involves inserting malicious SQL statements into an entry field for execution. A successful attack can, among other things, read and modify sensitive data and execute administration operations on the database. Depending on which analyst you pester until he/she emails you back just to shut you up, SQL Injection is responsible for as much as 80+ percent of the records stolen in hacking incidents. It's often at the top of the most-wanted lists at OWASP and the SANS Institute. (OWASP has published a "Cheat Sheet" on SQL Injection that's worth reading.)

"It's insidious," Holt said. "Developers can download these kinds of libraries easily, and incorporate them into their applications. Their managers are happy because they delivered the product on time, but they've got all this code that the organization didn't write, didn't put up to a static analysis tool, didn't get results from, and hasn't been reviewed."

The AppSecurity for Java product performs transparent taint detection and validation of each character in a SQL query in real-time within the JVM. It's a cool product and worth investigating. Waratek went to SaaS and software security consultancy BCC Risk Advisory to have the above claims independently verified. Here's a link.
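The idea of tracking taint on each character of a query can be sketched in a few lines of Java. This is an added example, not Waratek's code and not a description of how its product works; the class `TaintedSqlCheck`, its method names and the sample inputs are hypothetical, and it assumes standard SQL quoting only.

```java
import java.util.BitSet;
// Added illustration of character-level taint checking; not Waratek's implementation.
// Assumes standard SQL quoting ('' escapes a quote, no backslash escapes).
public class TaintedSqlCheck {
    private final StringBuilder sql = new StringBuilder();
    private final BitSet tainted = new BitSet(); // bit i set: char i came from user input

    public TaintedSqlCheck trusted(String s) {
        sql.append(s);
        return this;
    }

    public TaintedSqlCheck untrusted(String s) {
        tainted.set(sql.length(), sql.length() + s.length());
        sql.append(s);
        return this;
    }

    // Safe only if tainted characters stay inside a string literal or are digits,
    // i.e. user input never contributes SQL syntax.
    public boolean isSafe() {
        boolean inString = false;
        for (int i = 0; i < sql.length(); i++) {
            char c = sql.charAt(i);
            if (c == '\'') {
                if (inString && i + 1 < sql.length() && sql.charAt(i + 1) == '\'') {
                    i++;                 // '' is an escaped quote: still inside the literal
                    continue;
                }
                if (tainted.get(i)) return false; // user input opened or closed a literal
                inString = !inString;
            } else if (!inString && tainted.get(i) && !Character.isDigit(c)) {
                return false;            // user input outside a literal that is not a number
            }
        }
        return !inString;                // an unterminated literal is rejected too
    }

    public static void main(String[] args) {
        String[] inputs = { "alice", "O''Brien", "x' OR '1'='1", "'; DROP TABLE users; --" }; // constructed
        for (String in : inputs) {
            TaintedSqlCheck q = new TaintedSqlCheck()
                .trusted("SELECT * FROM users WHERE name = '").untrusted(in).trusted("'");
            System.out.println((q.isSafe() ? "allow " : "BLOCK ") + q.sql);
        }
        TaintedSqlCheck byId = new TaintedSqlCheck()
            .trusted("SELECT * FROM users WHERE id = ").untrusted("42 OR 1=1"); // constructed
        System.out.println((byId.isSafe() ? "allow " : "BLOCK ") + byId.sql);
    }
}
```

The first two queries are allowed and the last three are blocked, because in each blocked query a character that came from user input ends up as SQL syntax rather than data.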

Posted by John K. Waters on 04/08/2015 at 10:32 AM
